Most organizations opt for an incidence response , after a catastrophic cyber security event has taken place . Incidence response and threat hunting focus on events that happen after an endpoint is hit by a cyber attacks ,for example a malware infection . One of the main goals of a holistic approach for threat hunting and incidence response is to determine the extent of damages done by the attack and recover as much possible from it .

In this blog post , I will present a scenario of threat hunting and Incidence response out of a malware infection on an endpoint .

First step in threat hunting is to look for infection markers , and a basic way to figure out a malware infection is to look for any suspicious running processes

Quickly we are able to locate a suspicious running process named as
Pckntl.exe . This is what most people do next , upload the file to virus total, but often...

Request Packet format

Communication protocol for any malware lies at the core of its functionality . It is the essential way for any malware to communicate and receive further commands . Emotet has a complex communication format .
Its peculiarities are the way the protocol is built and sent across the network . Knowing internal details of its communication format is essential to keep tabs on it . In this post we are going to analyze Emotet communication format .


we will be skipping the unpacking and reconstruction part , as it is irrelevant to this topic of discussion .

In this post , we will be specifically looking for areas of interest in the binary , there will be some parts that are analyzed preemptively .

An unpacked emotet sample has around ~100 functions , as populated by IDA . Going through each of them to look for communication subroutines would be “A short in the dark”...

A taste of our own medicine : How smokeloader is deceiving dynamic configuration extraction by using binary code as bait

Recently an interesting smoke loader sample caught my eye ,and moreover I had to put smoke loader monitoring under scrutiny , as my monitoring script found it hard to locate a live c2 . Then suddenly something strange I noticed on the dashboard , the output c2’s from the configuration extraction script and the generated pcap were different

Output From config extraction

Pcap generated output

Notice the subtle difference between two outputs ?

A configuration extraction script is essentially an instrumenting script ( using windbg or a memory acquisition tool) to extract configuration ( c2’s , keys , campaigns, etc ) from a running malware binary . It’s sole purpose is to capture a pattern in a binary to extract certain parameters...

DEloader is a loader malware which is mostly used to load Zeus banking trojan . 
It is a stealth malware designed to keep the payload hidden and encrypted in the memory . A payload is dynamically retrieved from a remote https server 

So far there have been 3 versions of DEloader captured in the wild . Version 0x10E0700 , 0x1050500h and 0x1120300h. More recently in version 0x1120300h they added code obfuscation

Main loader file is a DLL with export named as ‘start’ or ‘begin’ . These exports are called by packer . Essentially because this DLL is memory loaded image , imports and images are relocated via the code in these exports

Earlier version included a share file map as a marker for infection . Shared file mapping would contain necessary information for the Deloader to run

If the mapping is found, the data from the map is fed to decoding algorithm which is based on Rc4 and...

Reverse engineering is about reducing the complex equation of binary code into na abstract understandable form . Dynamic and static analysis can speed up the process to a large extent , but they have their limitations when malware further tries to obfuscate and add an extra layer of protection to make analysis harder . Hiding import calls , obfuscated strings , use of visualized code are some of the techniques which hinder static analysis ,even when binary is finally stripped to its original form . These entities are dynamically retrieved by a malware sample 



Often times writing scripts is further required to recover hidden entities ( imports, strings , opcodes etc.)

Below is an example of Tofsee spam bot , which features string obfuscation . Strings in this trojan are dynamically generated using a simple algorithm which extracts them from an encoded data buffer .

An easier...

Often we come across times where binary reconstruction while analyzing malware / unpacking malware is required . Taking leverage of automated tools is not always useful, sometimes manual reconstruction is required. In this blog we will cover up manual and automated binary reconstruction .

Reconstructing IAT from stolen API code

This technique is used to hinder IAT construction after malware finishes unpacking its code, but first we need to understand how IAT is implemented in PE (portable executable).

IAT basics

IAT (Import Address Table) is an internal structure in PE file . It consists of information to instruct windows loader to load and resolve dynamic link libraries and corresponding API function addresses. If you examine a PE file you will notice two pointers in the IMAGE_OPTIONAL_HEADER . One points to an internal structure _IMAGE_IMPORT_DESCRIPTOR a part of which further...

Use of Heavens Gate technique for switching between 32bit and 64bit

Packed file is compressed and encrypted using several layers , discussing that would be irreverent here . At one point of time the a DLL is extracted which is actually installed and registered in an infected machine .
DLL happens to be a Component Object Model (COM) Binary DLL.

Entry point of the module is used for initialisation and sets some Named Events for checking an already running instance.

One important feature of Vawtrak is the use of Heavens gate for making 64bit calls though 32bit code . Basically in this technique , we make a far jump/call to segment 33h to land in 64bit environment under wow64 and segment 23h to come back to 32bit as mentioned here : http://vxheaven.org/lib/vrg02.html

As Vawtrak DLL comes in form of a 32bit PE file only . It makes heavy use of heavens gate to implement code...

Recently I came across not so well known downloader trojan . While analysing many interesting things were revealed. Download starts by enumerating a specific list of mutexes opened by all process and if found that particular process is terminated .

Followed by generating Install ID and Installer Subroutine . Install ID is generated using a call to GetTickCount() API

It makes connections to a list of c2 server hardcoded in the binary itself . List may contain 2-3 c2 servers . URI is formatted in this way FOLDER/?user=[InstallID]&id=1&type=5&key=[randomly generated key]

key is generated using a sequence of (GetTickCount() * 1664525 ). This key is later on used to decode a payload sent by c2 server .

C2 replies with an encoded binary buffer . This Buffer is decoded using the same key mentioned above

To decode the payload , we will use a very nice 010 Editor Script...

Cutwail Spam component is a part of PushDo Botnet . Recently I was analysing Cutwail and came across an interesting patch reporting functionality in Cutwail .

It starts with Fixing IAT ( Import Address Table ) to correct corresponding addresses . This is done because this component of PushDo is loaded and executed through process Tunnelling / RunPE method

It also sets up MAC address and a UDP socket for communication . MAC address is packed into a single 4byte Integer

When a crash occurs a custom exception handler collects the related information in the following structure

pragma pack(1)
struct Crashpacket
{
    DWORD MacAddress;
    struct _EXCEPTION_RECORD ExpRecord;
    struct CONTEXT ContextRecord;
    DWORD NoOfStackFramesRead;
    DWORD CallChainRecord[20];
};

MacAddress is retrieved from variable set earlier . _EXCEPTION_RECORD is an inbuilt structure which...